Hasgeek, India’s leading community of tech startups and developers, wrote to Mr. PP Chaudhary, Chairperson, Joint Parliamentary Committee (JPC) on Personal Data Protection (PDP) Bill conveying the concerns of India’s tech practitioners with the Bill and what they foresee as significant compliance challenges for Indian companies with the current iteration of the Bill.
To incorporate the fundamental spirit of a democracy that involves participative citizenry in the policy-making process, Hasgeek has requested the JPC to invite public consultations, with representation from small, medium, and large technology organizations, and the challenges they foresee in implementing the PDP Bill.
The submission was prepared by the Privacy Mode programme at Hasgeek. Privacy Mode programme works actively with the technologist and tech startup ecosystem in India to understand their views and concerns about privacy and data security. The submission is consolidated from the study on Non-Personal Data (NPD) with engineering and product teams in startups, founders, and venture capitalists, surveys conducted with tech practitioners on building privacy features, and views shared in India’s first Data Privacy Product and Engineering Conference. The submission is the voice of India’s bustling tech ecosystem, the very practitioners who will have to get down to the business of implementing the PDP Bill for their respective organizations.
The submission highlights the concerns of the small and medium enterprises with the PDP Bill regarding ambiguous definitions, data localization and lack of alignment with international regulations, cost of compliance, powers of the Data Protection Authority (DPA), and the governance of non-personal data. Huge number of businesses and startups in India are enabled by technology and cross border flow of data Provisions clamping down on such free flow of data will cause difficulties for tech entities. The JPC must consider global developments and ensure that entities that have already begun their efforts towards compliance with international legislations will not be forced to incur huge financial pressures for compliance with the PDP Bill.
The PDP Bill will increase the cost of compliance for all businesses, owing to the requirements for hiring a Data Protection Officer, excessive documentation, and grievance redressal processes. There is a marked lack of operational feasibility for smaller organizations in some of the most crucial clauses of the Bill, highlighting the need for more consultations with stakeholders of different sizes, nature of work, and manpower to effectively create easier categorization for governance practices and better compliance.
The community has cumulatively highlighted that the DPA must also focus on capacity building and upskilling for compliance and privacy roles, and support/partner with organizations that undertake such initiatives.
Indian mid-sized entities aim to grow and capture global markets. The PDP Bill must not halt this growth and innovation. Small and medium organizations struggle to establish a business model with repeatable unit economics, a paramount concern in the early life cycle of the organization. Despite the intent to embed privacy practices in the product-development cycle, small and medium organizations do not have the skills or budgets. Hence, Hasgeek recommends the following approach to adhere to PDP compliance:
1. Differential compliance with a different set of rules based on the organization’s asset size and number of records that they are processing. If organizations are forced to follow a large set of controls or regulations which are beyond their business value, compliance will be weak or even circumvented.
2. Scaled down data protection practices which can be implemented by small businesses. These can be proportional to a risk score tagged to the business (risk score needs to be objective; based on turnaround or size of the (user) community that the business serves).
Hasgeek fosters conversations between technologists to encourage the spread of good ideas and advance the ecosystem as a whole. Practitioners from thousands of startups and established companies have participated in the Hasgeek network since 2010 to review the work of their peers and adopt their ideas.
The Privacy Mode programme at Hasgeek focuses on data privacy and security in the Indian tech ecosystem, and has produced two research reports and hosted a conference in 2021.
